Autonomous vehicle data management platform

ABSTRACT

A data management platform for Autonomous Vehicles (AVs) is provided. The data management platform can receive, from an AV at a first time, a first copy of a manifest including a creation history of a transformed object generated by the AV and a data integrity value corresponding to the transformed object. The data management platform can receive, from a second computing system at a second time, a second copy of the manifest. The data management platform can reconcile the first copy and the second copy. The data management platform can receive, from the second computing system at a third time, a request to upload the transformed object. The data management platform can validate the transformed object stored in storage of the first computing system based on the data integrity value included in the manifest.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation of U.S. patent applicationSer. No. 16/456,620, filed Jun. 28, 2019, and entitled “AUTONOMOUSVEHICLE DATA MANAGEMENT PLATFORM,” the disclosure of which is herebyincorporated by reference in its entirety and for all purposes.

TECHNICAL FIELD

The subject matter of this disclosure relates in general to the field ofautonomous vehicles, and more particularly, to systems and methods formanaging autonomous vehicle data.

BACKGROUND

An autonomous vehicle (AV) is a motorized vehicle that can navigatewithout a human driver. The AV can include a plurality of sensorsystems, such as a camera sensor system, a Light Detection and Ranging(LIDAR) sensor system, and a Radio Detection and Ranging (RADAR) sensorsystem, among others. The AV may operate based upon sensor signalsoutput by the sensor systems. For example, the sensor signals can beprovided to a local computing system in communication with the pluralityof sensor systems and a processor can execute instructions based uponthe sensor signals to control one or more mechanical system of the AV,such as a vehicle propulsion system, a braking system, a steeringsystem, and so forth.

In addition to sensor data for controlling the vehicle, the AV cancollect various other types of data, such as battery or fuel consumptiondata, navigational data (e.g., geographical coordinates, routes, mappingdata, etc.), traffic conditions, road conditions, weather conditions,and other data relating to the AV or its environment. If the AV is partof a ridesharing service, the AV can also collect passenger data (e.g.,demographic data, passenger behavior data, etc.), trip data (e.g.,pick-up and drop-off locations, fare, trip rating, etc.), client devicedata, and so forth. The AV can process some of its data “on-line” or inreal-time or near real-time for immediate maneuvering of the vehicle.However, analysis of the AV data “off-line” or at a later time can alsobe critical for the safe, legal, and efficient operation of the vehicle.

BRIEF DESCRIPTION OF THE FIGURES

To provide a more complete understanding of the present disclosure andfeatures and advantages thereof, reference is made to the followingdescription, taken in conjunction with the accompanying drawings, inwhich:

FIG. 1 illustrates an example of a system for an Autonomous Vehicle (AV)system in accordance with an embodiment;

FIG. 2 illustrates an example of an AV data management platform agent inaccordance with an embodiment;

FIG. 3 illustrates an example of an AV data management platformappliance in accordance with an embodiment;

FIG. 4 illustrates an example of an AV data management platform inaccordance with an embodiment;

FIGS. 5A and 5B illustrate an example of a process for managing AV datain accordance with an embodiment; and

FIGS. 6A and 6B illustrate examples of computing systems in accordancewith some embodiments.

DETAILED DESCRIPTION

The detailed description set forth below is intended as a description ofvarious configurations of embodiments and is not intended to representthe only configurations in which the subject matter of this disclosurecan be practiced. The appended drawings are incorporated herein andconstitute a part of the detailed description. The detailed descriptionincludes specific details for the purpose of providing a more thoroughunderstanding of the subject matter of this disclosure. However, it willbe clear and apparent that the subject matter of this disclosure is notlimited to the specific details set forth herein and may be practicedwithout these details. In some instances, structures and components areshown in block diagram form in order to avoid obscuring the concepts ofthe subject matter of this disclosure.

The present technology can involve the gathering and use of dataavailable from various sources to improve quality and experience. Thepresent disclosure contemplates that in some instances, this gathereddata may include personal information. The present disclosurecontemplates that the entities involved with such personal informationrespect and value privacy policies and practices.

The various types of data captured by an Autonomous Vehicle (AV) canhave tremendous value in helping to operate the AV and related services.For example, AV data can be used to improve object classification (e.g.,identifying different types of objects on the road, such as pedestrians,bicycles, emergency vehicles, etc.), event classification (e.g.,identifying various driving situations, such as lane merges, doubleparked cars, unprotected left turns, near collisions, etc.), mapping androuting, maneuvering, passenger safety, passenger experience (e.g.,smooth ride, comfortable cabin temperature, etc.), trip estimates (e.g.,trip time, fare, etc.), battery power or fuel efficiency, and so forth.Further improvements can be achieved by taking advantage of the networkeffects of collecting AV data from a fleet of AVs. However, collectionof AV data can be limited by the computing resources (e.g., processing,memory, storage, network bandwidth, etc.) available to individual AVsand a centralized repository (e.g., data center, cloud computingnetwork, etc.) for the AV data. AVs typically have fewer computingresources, and real-time or near real-time operation of the AV can havepriority for these resources. In addition, available network bandwidthcan be highly unpredictable and especially scarce to the AVs and thecentralized repository alike. A system for managing AV data should bescalable to support a variety of different computing environments havinga high degree of variance in available computing resources.

Another challenge in collecting AV data can be the variable amount oftime it takes to transfer data from individual AVs to a centralizedrepository. An AV fleet may operate according to certain dispatching orscheduling rules, such as maximizing utilization of the AV fleet,optimizing pick-up and drop-off routes, fulfilling passenger preferencesfor the type of AV or service amenities, and so forth. A system formanaging AV data should be flexible enough to ingest data over differentlengths of time to accommodate these dispatching and scheduling rules.In addition, the AV should be able to initiate data transfer at one siteand then resume later at a different site.

Other constraints in collecting AV data can be imposed by securityrequirements, data integrity requirements, and battery power or fuelrequirements, among other rules and requirements. A system for managingAV data should be able to transfer data securely, accurately, andquickly (e.g., within the time it takes to recharge or refuel the AV).

Various embodiments of the present disclosure can address the above andother challenges of managing AV data. In particular, an AV datamanagement platform can be provided that is highly reliable, scalable,and flexible. In some embodiments, an AV can partition raw data unitscaptured by its sensors, mechanical systems, and other instruments intoingestion objects for consumption by other computing systems, such ascomputing systems incorporated by other AVs, AV servicing stations, datacenters (e.g., private enterprise or co-location networks, Cloud ServiceProvider (CSP) networks, hybrid clouds, multi-clouds, etc.), and so on.The AV can apply one or more transformations to the ingestion objects togenerate transformed objects and associated manifests, and store thetransformed objects and associated manifests in local storage. Eachmanifest can include a history of how its corresponding raw data unitswere partitioned and how its corresponding ingestion object wastransformed and a data integrity value (e.g., checksum, hash value,error detection code, digital signature, Cyclic Redundancy Check (CRC),etc.) representing its corresponding transformed object. In someembodiments, the AV can offload first copies of the manifests inreal-time or near real-time to one or more data center computingsystems. At a later time, the AV can offload second copies of themanifests and initiate offloading of the transformed objects to one ormore AV servicing station computing systems when the AV receivesservicing (e.g., recharging or refueling, data uploading, maintenance,etc.) at the station. The one or more AV servicing station computingsystems can upload the second copies of manifests and initiate uploadingof the transformed objects to the one or more data center computingsystems. The one or more data center computing systems can attempt toreconcile the first copies of the manifests with corresponding secondcopies of the manifest. If the copies of the manifests match, and the AVcompletes offloading the corresponding transformed objects, then the oneor more AV servicing station computing systems can notify the AV that itis safe erase the manifests and corresponding transformed objects fromthe AV's local storage. If the copies of the manifests cannot bereconciled and a Service Level Agreement (SLA) applicable to thetransformed objects is violated, then the AV can be docked for furtherdiagnosis. If the copies of the manifests cannot be reconciled and noSLA is applicable, then error information regarding offloading oruploading the transformed objects can be annotated and the transformedobjects can be discarded.

Numerous benefits can flow from the data management platform. Byreceiving the first copies of manifests in real-time or near real-time(or at least before the transformed objects have completed offloadingfrom the AV to the AV servicing station), the data management platformcan learn whether the AV is having issues with its data processingpipeline (e.g., capturing raw data, partitioning the raw data intoingestion objects, transforming the ingestion objects, determiningmanifests for the transformed objects, offloading first copies of themanifests to the data center, offloading second copies of the manifestsand the transformed objects to the servicing station, etc.). If theerror is serious enough (e.g., violates an SLA), immediate action can betaken, such as docking the AV at a servicing station for furtherdiagnosis.

When the AV later attempts to offload its data at a servicing station,the servicing station can upload the second copies of manifests to thedata center. The second copies of manifests can arrive while offloadingof the transformed objects is still in progress. This can be implicitbecause of the sizes of the manifests are small relative to thetransformed objects, or this can be explicitly configured.Reconciliation of pairs of corresponding manifests can quickly determinewhether the AV is having data issues while the AV is still within theservicing station Thus, the issues can be directly addressed to preventfurther data loss if warranted (e.g., violates an SLA).

On the other hand, if the first and second copies of manifests match,data integrity has been assured. After the servicing station validatesthe offloaded transformed objects based on the data integrity values setforth in corresponding manifests, the servicing station can notify theAV that it is safe to erase the offloaded transformed objects andcorresponding manifests to free up local storage. In addition, the datacenter and/or the servicing station can optimize when to upload thetransformed objects to take advantage of times when there is lessnetwork congestion and/or times when CSP costs are minimal.

The design of the data management platform also enhances flexibility ofthe overall AV system. The system is horizontally scalable at each levelof the data hierarchy, enabling for capacity to be increased based onthe respective data demands at the fleet level, servicing station level,and data center level. The data management platform can supportservicing stations and AVs having disparate resources. Data offloadingby the AV may no longer a bottleneck during servicing; the AV can comeand go from servicing station to servicing station as soon it has beenrecharged or refueled, enabling maximization of the AV's utilizationduring busier times.

Another benefit of the data management platform is its adaptability.Each stage of the data management process is configurable by the AV, theAV servicing station, and/or the data center and can be adjusteddepending on their circumstances. For example, the AV, servicingstation, and/or data center can dynamically configure a size range ofingestion objects to optimize between processing, memory, storage, ornetwork bandwidth utilization, the time the AV spends at the servicingstation, and so forth. Likewise, the AV, servicing station, and/or datacenter can dynamically tune what transformations are performed oningestion objects to balance resource utilization. The transformationscan include missing value processing, deduplication, outlier or noiseprocessing, generalization, rescaling, aggregation, discretization,encryption, decryption, or a non-linear transformation. Numerous otherfunctions and advantages are described and suggested below in accordancewith the various embodiments.

Turning now to the drawings, FIG. 1 illustrates an example of a systemfor an AV system 100. One of ordinary skill in the art will understandthat, for the AV system 100 and any system discussed in the presentdisclosure, there can be additional or fewer components in similar oralternative configurations. The illustrations and examples provided inthe present disclosure are for conciseness and clarity. Otherembodiments may include different numbers and/or types of elements butone of ordinary skill the art will appreciate that such variations donot depart from the scope of the present disclosure.

In this example, the AV system 100 includes an AV 102, an AV servicingstation 150, and a data center 160. The AV 102, the AV servicing station150, and the data center 160 can communicate with each other over one ormore networks, such as a public network (e.g., a public cloud, theInternet, etc.), a private network (e.g., a local area network, aprivate cloud, a virtual private network, etc.), and/or a hybrid network(e.g., a multi-cloud or hybrid cloud network, etc.).

The AV 102 can navigate about roadways without a human driver based onsensor signals generated by multiple sensor systems 104, 106, and 108.The sensor systems 104-108 can include different types of sensors andcan be arranged about the AV 102. For instance, the sensor systems104-108 can comprise Inertial Measuring Units (IMUs) (e.g.,accelerometers, gyroscopes, magnetometers, etc.), image sensors (e.g.,still image cameras, video cameras, etc.), light sensors (e.g., LIDARsystems, ambient light sensors, infrared sensors, etc.), GlobalPositioning System (GPSs), RADAR systems, audio sensors (e.g.,microphones, Sound Navigation and Ranging (SONAR) systems, ultrasonicsensors, etc.), speedometers, tachometers, odometers, altimeters, tiltsensors, impact sensors, seat occupancy sensors, open/closed doorsensors, temperature sensors, pressure sensors, rain sensors, and soforth. In this example, the sensor system 104 can be a RADAR system, thesensor system 106 can be a first image sensor system (e.g., still imageor video cameras), and the sensor system 108 can be a second imagesensor system (e.g., LIDAR system). Other embodiments may include anyother number and type of sensors.

The AV 102 can also include several mechanical systems that can be usedto maneuver or operate the AV 102. For instance, the mechanical systemscan include a vehicle propulsion system 130, a braking system 132, asteering system 134, a safety system 136, and a cabin system 138, amongother systems. The vehicle propulsion system 130 can include an electricmotor, an internal combustion engine, or both. The braking system 132can include an engine brake, brake pads, actuators, and/or any othersuitable componentry configured to assist in decelerating the AV 102.The steering system 134 can include suitable componentry configured tocontrol the direction of movement of the AV 102 during navigation. Thesafety system 136 can include lights and signal indicators, a parkingbrake, airbags, and so forth. The cabin system 138 can include cabintemperature control systems, in-cabin entertainment systems, and soforth. In some embodiments, the AV 102 may not include human driveractuators (e.g., steering wheel, handbrake, foot brake pedal, footaccelerator pedal, turn signal lever, window wipers, etc.) forcontrolling the AV 102. Instead, the cabin system 138 can include one ormore client interfaces (e.g., GUIs, VUIs, etc.) for controlling certainaspects of the mechanical systems 130-138.

The AV 102 can additionally include a local computing system 110 that isin communication with the sensor systems 104-108, the mechanical systems130-138, the AV servicing station 150, and the data center 160, amongother systems. The local computing system 110 can include one or moreprocessors and memory including instructions that can be executed by theone or more processors. The instructions can make up one or moresoftware stacks or systems responsible for controlling the AV 102,communicating with the AV servicing station 150, the data center 160,and other systems, receiving inputs from users, logging metricscollected by the sensor systems 104-108 and users, and so forth. In thisexample, the local computing system 110 includes a control stack 112, aplanning stack 114, a communication stack 116, a latency stack 118, andan AV data management platform agent 120, among other stacks andsystems.

The control stack 112 can manage the operation of the vehicle propulsionsystem 130, the braking system 132, the steering system 134, the safetysystem 136, and the cabin system 138. The control stack 112 can receivesensor signals from the sensor systems 104-108 as well as communicatewith other stacks of the local computing system 110 to effectuateoperation of the AV 102. In some embodiments, the control stack 112 maycarry out operations in concert with one or more other stacks or systemsof the AV 102.

The planning stack 114 can determine how to maneuver or operate the AV102 safely in its environment. For example, the planning stack 114 canbe provided with the location, speed, and direction of the AV 102, mapor route information, data regarding objects sharing the road with theAV 102 (e.g., pedestrians, bicycles, vehicles, ambulances, buses, cablecars, trains, traffic lights, lanes, road markings, etc.) or certainevents occurring during a trip (e.g., emergency vehicle blaring a siren,intersections, occluded areas, street closures for construction orstreet repairs, double-parked cars, etc.), traffic rules and othersafety standards or practices for the road, user input, and otherrelevant data for directing the AV 102 from one point to another. Theplanning stack 114 can determine multiple sets of one or more mechanicaloperations that the AV 102 can perform (e.g., go straight at a specifiedrate of acceleration, including maintaining the same speed ordecelerating; turn on the left blinker, decelerate if the AV is above athreshold range for turning, and turn left; turn on the right blinker,accelerate if the AV is stopped or below the threshold range forturning, and turn right; decelerate until completely stopped andreverse; etc.), and select the best one to meet changing road conditionsand events. If something unexpected happens, the planning stack 114 canselect from multiple backup plans to carry out. For example, whilepreparing to change lanes to turn right at an intersection, anothervehicle may aggressively cut into the destination lane, making the lanechange unsafe. The planning stack 114 would have already determined analternative plan for such an event, and upon the event occurring, helpto direct the AV 102 to go around the block instead of blocking itscurrent lane while waiting for an opening to change lanes. In someembodiments, the planning stack 114 can be a part of the control stack112.

The communication stack 116 can transmit and receive signals between thestacks and systems of the AV 102 and between the AV 102, the AVservicing station 150, the data center 160, and other remote systems.The communication stack 116 can enable the local computing system 110 toexchange information remotely over a network, such as through an antennaarray or interface that can provide municipal Wi-Fi, cellular (e.g.,Third Generation (3G), Fourth Generation (4G), Long-Term Evolution(LTE), 5th Generation (5G), etc.), or other wireless Wide Area Network(WAN) or remote connection. The communication stack 116 can alsofacilitate local exchange of information, such as through a wiredconnection (e.g., a user's mobile computing device docked in an in-cardocking station or connected via Universal Serial Bus (USB), the localcomputing system 110, etc.) or a local wireless connection (e.g.,Wireless Local Area Network (WLAN), Bluetooth®, infrared, etc.).

The latency stack 118 can utilize timestamps on communications to andfrom the data center 160 to determine if a communication has beenreceived from the data center 160 in time to be useful. For example,when a stack of the local computing system 110 requests feedback fromthe data center 160 on a time-sensitive basis, the latency stack 118 candetermine if a response was timely received from the data center 160 asinformation can quickly become too stale to be actionable. When thelatency stack 118 determines that a response has not been receivedwithin a threshold, the latency stack 118 can enable other stacks orsystems of the AV 102 or a user to make necessary decisions or toprovide the needed feedback.

The AV data management platform agent 120 can retrieve raw AV datastored locally by the AV, process the raw AV data so that it is suitablefor transfer to the AV servicing station 150, and generate manifests toensure the processed AV data is ultimately received by the data center160. In some embodiments, the AV data management platform agent 120 canexecute as a part of a recharging or refueling process or other AVservicing. An example of an implementation of the AV data managementplatform agent 120 is discussed in further detail below with respect toFIG. 2 .

The AV servicing station 150 can be a location for providing variousservicing for the AV 102, such as refueling or recharging the AV,offloading AV data, recalibrating sensors, performing diagnostics andmaintenance, and the like. The AV servicing station 150 can include oneor more computing systems, including an AV data management platformappliance 152. The AV data management platform appliance 152 can receiveAV data offloaded from the AV 102 and transmit the AV data to the datacenter 160. An example of an implementation of the AV data managementappliance 152 is discussed in further detail with respect to FIG. 2 .

The data center 160 can be a private cloud (e.g., an enterprise network,a co-location provider network, etc.), a public cloud (e.g., anInfrastructure as a Service (IaaS) network, a Platform as a Service(PaaS) network, a Software as a Service (SaaS) network, or other CloudService Provider (CSP) network), a hybrid cloud, a multi-cloud, and soforth. The data center 160 can include one or more computing systemsremote to the local computing system 110 and the AV servicing station150 for managing a network of AV servicing stations and a fleet of AVs.In some embodiments, the data center 160 can support a ridesharingservice, a delivery service, a remote/roadside assistance service,street services (e.g., street view, street patrol, street cleaning,street metering, parking reservation, etc.), and the like.

The data center 160 can send and receive various signals to and from theAV 102 and the AV servicing station 150. These signals can includereporting data for training and evaluating machine learning algorithms,roadside assistance requests, software updates, ridesharing pick-up anddrop-off instructions, and so forth. In this example, the data center160 includes an analysis stack 162, a user interface 154, a remoteassistance stack 156, a ridesharing service stack 158, and an AV datamanagement platform 170, among other stacks, platforms, and systems.

The analysis stack 162 can receive data from the AV 102 and/or the AVservicing station 150, and analyze the data to train or evaluate machinelearning algorithms for operating the AV 102. The analysis stack 162 canalso perform analysis pertaining to data associated with one or moreerrors or constraints reported by the AV 102 and/or the AV servicingstation 150.

The user interface 154 can present metrics, video, pictures, sounds, andso forth that are reported from the AV 102 and/or the AV servicingstation 150 to a human operator of the data center 160. The userinterface 154 can further receive input instructions from a humanoperator that can be sent to the AV 102 and/or the AV servicing station150.

The remote assistance stack 156 can generate and transmit instructionsregarding the operation of the AV 102. For example, in response to anoutput of the analysis stack 162 or the user interface 154, the remoteassistance stack 156 can prepare instructions for one or more stacks orsystems of the AV 102.

The ridesharing service stack 158 can interact with client computingdevices (not shown), such as servers, desktops, laptops, tablets,smartphones, smart wearable devices (e.g., smart watches, smarteyeglasses or other Head-Mounted Displays (HMDs), smart ear pods orother smart in-ear, on-ear, or over-ear devices, etc.), gaming systems,or other general purpose computing devices for supporting a ridesharingservice. The client computing devices may be users' mobile computingdevices or computing devices integrated with the AV 102 (e.g., the localcomputing system 110). The ridesharing service stack 158 can receiverequests to be picked up or dropped off from the client computing deviceand dispatch the AV 102 for the trip.

FIG. 2 illustrates an example of an implementation of the AV datamanagement platform agent 120 for the AV 102. The AV data managementplatform agent 120 can include an AV storage system 200, a partitioner210, a transformer 220, and an offloader 230. The AV storage system 200can comprise a collection of data units (e.g., files, blocks, objects,etc.) representing various types of raw data captured by the AV 102,such as sensor data, battery or fuel consumption data, navigational data(e.g., geographical coordinates, routes, mapping data, etc.), trafficconditions, road conditions, weather conditions, and other data relatingto the AV 102 or its environment. In some embodiments, the data units202 can also represent passenger data (e.g., demographic data, passengerbehavior data, etc.), trip data (e.g., pick-up and drop-off locations,fare, trip rating, etc.), client device data, and other data relating tothe services provided by the AV 102 (e.g., delivery service,remote/roadside assistance service, street view service, street patrolservice, street cleaning service, street metering service, parkingreservation service, etc.). The data units 202 may physically reside ona hard disk drive (HDD), solid state drive (SSD), or other suitable typeof storage media.

The partitioner 210 can be a hardware and/or software component thataccesses the data units 202 and partitions them into a collection ofingestion objects 212A, 212B, and 212C (collectively, 212) in which eachingestion object comprises one or more data units that may be logicallyrelated to one other. Although the partitioner 210 is shown aggregatingmultiple data units into a single ingestion object in this example, thepartitioner 210 can additionally or alternatively segment a single dataunit into multiple ingestion objects in other embodiments.

In some embodiments, the operation of the partitioner 210 can bedynamically configured (e.g., by the AV 102, the AV servicing station150, the data center 160, etc.) based on a current state of the AV 102,the AV servicing station 150, and/or the data center 160. For example,the partitioner 210 can be adjusted to generate the ingestion objects tobe a size depending on the current network bandwidth of the AV 102, theAV servicing station 150, and/or the data center 160.

The transformer 220 can be hardware and/or software component thatprocesses the ingestion objects 212 to generate manifests 222A, 222B,and 222C (collectively, 222) corresponding respectively to transformedobjects 224A, 224B, and 224C (collectively, 224). The transformer 220can perform various transformations on the ingestion objects 212, suchas missing value processing (e.g., ignoring data points having missingfeature values, substituting missing values with dummy values, mean,mode, median, etc.), deduplication (e.g., deleting or aggregatingduplicate or redundant or insignificant data points), outlier or noiseprocessing (e.g., binning, regression, deleting outliers or noise,etc.), generalization (e.g., converting specific data points to lessspecific data points, such as translating a Global Positioning System(GPS) coordinate to a street address, city, state, country, etc.),rescaling (e.g., normalization, standardization, min-max scaling, etc.),aggregation (e.g., summarizing or consolidating data, such as combiningmultiple instances of sensor detected every second for ten minutes intoa single instance representing a ten-minute span), discretization (e.g.,converting continuous values to discrete values, binning, binarization,etc.), encryption, decryption, non-linear transformations (e.g., mappingdata values to a uniform distribution, Gaussian distribution, etc.), andso forth.

The manifests 222 can describe the history of the transformed objects224, such as providing a listing of the raw data units 202 that make upthe ingestion objects 212 from which the transformed objects 224originated, the transformation logic that was applied to the ingestionobjects 212, the results and performance of the transformations, and soforth. The manifests 222 can also include checksums, hashes, errordetection codes, digital signatures, CRCs, or other data verifying theintegrity of the transformed objects 224. In some embodiments, themanifests 222 may be small in size (e.g., Kilobytes) relative to thetransformed objects 224 (e.g., Gigabytes).

In some embodiments, the operation of the transformer 220 can also bedynamically configured (e.g., by the AV 102, the AV servicing station150, the data center 160, etc.) based on a current state of the AV 102,the AV servicing station 150, and/or the data center 160. For example,the transformer 220 can be adjusted to perform certain transformationsor to skip certain transformations depending on the processing andmemory resources available to the AV 102, the AV servicing station 150,and/or the data center 160, such as when there may be higher priorityprocesses executing concurrently.

The offloader 230 can be hardware and/or software component thattransmits first copies of the manifests 222A-1, 222B-1, and 222C-1(collectively, 222-1) directly to the data center 160 and second copiesof the manifests 222A-2, 222B-2, and 222C-2 (collectively, 222-2) andthe respectively corresponding transformed objects 224A, 224B, and 224Cto the AV servicing station 150. In some embodiments, after theoffloader 230 has successfully transmitted the first copies of themanifests 222-1 directly to the data center 160 and the second copies ofthe manifests 222-2 and the corresponding transformed objects 224 to theAV servicing station 150, the offloader 230 can free up the data units202 corresponding to the transformed objects 224 stored in the AVstorage system 200 (e.g., delete the data units, mark the data units sothey can be overwritten, etc.).

FIG. 3 illustrates an example of an implementation of the AV datamanagement platform appliance 152 for the AV servicing station 150. TheAV data management platform appliance 152 can include a storage system300 and an upload engine 310. The storage system 300 can be similar tothe AV storage system 200 in many respects but may be capable of storingmore data than the AV 102 because the storage system 300 may be sharedby more than one AV. The storage system 300 can receive the manifests222-2 and their corresponding transformed objects 224 from the offloader230 and transmit them to the upload engine 310. Some advantages of thisdesign are that the AV can be outfitted with less storage because of theability to offload AV data to the AV servicing station 150, AVs can havelarge offload rates even during peak hours because the AVs can offloadAV data over a local network connection, and offload rates can beindependent of the network bandwidth between the AV servicing station150 and the data center 160.

The upload engine 310 can be a hardware and/or software component thatcan monitor the storage system 300 and move the manifests 222-2 andtheir corresponding transformed objects 224 from the storage system 300to the data center 160. In some embodiments, the upload engine 310 canbe designed to include multiple uploader processes 312A, 312B, and 312C(collectively, 312) that can run concurrently in the same AV servicingstation without interfering with each other. In this example, the uploadengine 310 may be managed from the data center 160 to coordinate amongthe uploader processes 312 to write AV data to the data center 160 asdiscussed further below with respect to FIG. 4 and elsewhere in thepresent disclosure.

As discussed, the second copies of the manifests 222-2 are likely toarrive at the data center 160 before the AV 102 completes uploading theassociated transformed objects 224 because of their relative sizes.Thus, if there is a data error, the AV 102 is still located at the AVservicing station 150 so that the AV 102 can try re-uploading thetransformed objects 224 again or, if the error is more significant, theAV 10 can remain at the AV servicing station 150 so that the error maybe addressed without further data loss. If the upload engine 310successfully transmits the AV data to the data center 160, the uploadengine 310 can erase the manifests 222 and their correspondingtransformed objects 224 from the storage system 300 or enable them to beoverwritten.

In some embodiments, the operation of the upload engine 310 can also bedynamically configured (e.g., by the AV 102, the AV servicing station150, the data center 160, etc.) based on a current state of the AV 102,the AV servicing station 150, and/or the data center 160. For example,the upload engine 310 can be adjusted to minimize CSP costs by runningthe uploader processes 312 during periods of time when CSP networkingcosts are at their lowest (e.g., off-peak or non-business hours) and/orhibernating the uploader processes 312 during periods of time when CSPnetworking costs are at their highest.

FIG. 4 illustrates an example of an implementation of the AV datamanagement platform 170. The AV data management platform 170 can includea manifest storage system 400, a distributed lock service 410, areconciler 420, an AV data storage system 430, an SLA service 440, andthe user interface 154. The manifest storage system 400 and the AV datastorage system 430 can be similar to the AV storage system 200 and/orthe storage system 300 in many respects but are capable of storingseveral degrees of magnitude more manifests and transformed objects,respectively, than the AV 102 and/or the AV servicing station 150because the manifest storage system 400 and the AV data storage system430 may be shared by a network of AV servicing stations and a fleet ofAVs and store AV data over lengthier periods of time (e.g., months oryears versus hours). But the AV data storage system 430 is typicallycapable of storing more data than the manifest storage system 400because the manifests 222 are generally smaller in size than thetransformed objects 224. In this example, the manifest storage system400 can receive the manifests 222-1 from the offloader 230 in real-timeor near real-time, and register them.

The distributed lock service 410 can be a hardware and/or softwarecomponent that allows its clients (e.g., the uploader processes 312) tosynchronize their activities and to agree on basic information abouttheir environment. The distributed lock service 410 can comprise aserver cluster and a library to which the uploader processes 312 canlink. The server cluster can comprise a small set of servers (e.g., 5),which may be referred to as replicas and which may be configured toreduce the likelihood of correlated failure (e.g., located in differentracks). The replicas can use a distributed consensus protocol (e.g.,Paxos) to elect a master, which is the replica that can obtain votesfrom the majority of the replicas and can promise that those replicaswill not elect a different master for an interval of time (e.g., a fewseconds) (sometimes referred to as a master lease). The master lease canbe periodically renewed by the replicas if the master continues to win amajority of the votes. The replicas can maintain copies of a simpledatabase but only the master may initiate reads and writes of thisdatabase. Other replicas may copy updates from the master, which can besent using the consensus protocol.

The uploader processes 312 can find the master by sending masterlocation requests to the replicas via Domain Name System (DNS).Non-master replicas can respond to these requests by returning theidentity of the master. Once an uploader process has located the master,the uploader process can direct all requests to the master until themaster ceases to respond or indicates that it is no longer the master.Write requests can be propagated via the consensus protocol to thereplicas, and the write requests can be acknowledged when the write hasreached a majority of replicas in the cluster. Read requests can besatisfied by the master, and should be safe if the master lease has notexpired. If a master fails, the other replicas can run the electionprotocol when their master leases expire.

The distributed lock service 410 can expose a file system similar toUNIX® in which each file and directory can operate as a lock such thateither one uploader process can hold it in write mode, or any number ofthe uploader processes 312 can hold the lock in read mode. The uploaderprocesses 312 can subscribe to a range of events when they create ahandle. These events can be delivered to the uploader processesasynchronously via an up-call from the client library. Some examples ofevents include file contents modified, child node added, removed, ormodified, and the master failed over, among others.

The reconciler 420 can be a hardware and/or software component thatreceives the manifests 222-1 from the manifest storage system 400 andthe manifests 222-2 from the uploader processes 312, and attempt toreconcile them. For example, the reconciler 420 can subscribe to themanifest registry and attempt to match the manifests 222-1 upon arrivalof the manifests 222-2. When then there is a match, such as with themanifests 222A-1 and 222A-2 and 222B-1 and 222B-2, then the AV storagesystem 430 can store their associated transformed object s 224A and 224Bupon completing upload.

If there is no match, as in the case between the manifest 222C-1 and222C-2, then the AV data management platform 170 may request the AVservicing station 150 re-upload the manifest 222C-1. If after a numberof attempts to re-upload the manifest 222C-2 has failed, there may be amore serious problem. To ensure that the error is consequential enoughto keep the AV 102 at the servicing station, the reconciler 420 canrequest for an SLA from the SLA service 440 corresponding to the currentcircumstances. In general, an SLA is a contract between a serviceprovider and a customer setting the terms by which the provider makesits services available to the customer. The SLA can define the serviceor services provided or requested and service level parameters to ensurea specified Quality of Service (QoS) level agreed to by the parties,among other terms. In this example, the SLA service 440 can identifysituations where data errors are critical. For instance, if thetransformed object 222C-2 corresponds to data captured by a sensornecessary to operate the AV 102 safely, then the AV data managementplatform 170 can dock the AV 102 at the AV servicing 150 for furtherdiagnosis. In this case, the error may be insignificant such that the AVdata management platform 170 can discard the transformed object 224C butgenerate a notification for transmission to the user interface 154 tofollow up at a later time.

In addition to controlling the circumstances under which it may beimperative to keep the AV 102 in the AV servicing station 150, the SLAservice 440 can also maintain more conventional SLAs, such as high-levelcriteria including availability, reliability, security, pricing,performance, and other measures of broad applicability, and lower-levelcriteria, such as response time, throughput, bandwidth, latency, jitter,error rate, downtime per week, Mean Time to Repair (MTTR), Mean TimeBetween Failure (MTBF), and other measures of more specificapplicability. For example, an SLA can set forth the maximum length oftime between receiving a first copy of a manifest and a second copy ofthe manifest. The reconciler 420 can monitor this SLA provision andgenerate a notification for transmission to user interface 154 when theSLA provision is violated.

FIGS. 5A and 5B illustrate an example of a process 500 for managing AVdata. One of ordinary skill will understood that, for any flow, method,or process discussed herein, there can be additional, fewer, oralternative steps performed in similar or alternative orders, or inparallel, within the scope of the various embodiments unless otherwisestated. The process 500 can be performed at least in part by the AV 102,the AV data management platform agent 120, the AV servicing station 150,the AV data management platform appliance 152, the data center 160,and/or the AV data management platform 170.

The process 500 can begin with the AV 102 capturing raw data (e.g.,sensor data, battery or fuel consumption data, navigational data,traffic conditions, road conditions, weather conditions, or other datarelating to the AV 102) using one or more its instruments (e.g.,sensors, actuators, mechanical systems, computing systems, etc.). Insome embodiments, the raw data units can also include passenger data(e.g., demographic data, passenger behavior data, etc.), trip data(e.g., pick-up and drop-off locations, fare, trip rating, etc.), clientdevice data, and other data relating to the services provided by the AV102 (e.g., delivery service, remote/roadside assistance service, streetview service, street patrol service, street cleaning service, streetmetering service, parking reservation service, etc.).

At step 504, the AV 102 can partition the raw data into one or moreingestion objects 212 for consumption by a separate computing system,such as a computing system incorporated by another AV, an AV servicingstation, a data center, and so forth. In some cases, the AV 102 cancombine multiple raw data units to generate a single ingestion object.Alternatively or in addition, the AV 102 can divide a single raw dataunit into multiple ingestion objects. In some embodiments, partitioningthe raw data units can be dynamically configured based on a currentstate of the AV 102, the AV servicing station 150, and/or the datacenter 160. For example, partitioning can be adjusted to generate theingestion objects to be a size depending on the current networkbandwidth of the AV 102, the AV servicing station 150, and/or the datacenter 160.

The process 500 can proceed to step 506 in which the AV 102 can performone or more transformations on the ingestion objects 212 to generate oneor more transformed objects 224 and manifests 222. For example, the AV102 can perform at least one of missing value processing (e.g., ignoringdata points having missing feature values, substituting missing valueswith dummy values, mean, mode, median, etc.), deduplication (e.g.,deleting or aggregating duplicate or redundant or insignificant datapoints), outlier or noise processing (e.g., binning, regression,deleting outliers or noise, etc.), generalization (e.g., convertingspecific data points to less specific data points, such as translating aGlobal Positioning System (GPS) coordinate to a street address, city,state, country, etc.), rescaling (e.g., normalization, standardization,min-max scaling, etc.), aggregation (e.g., summarizing or consolidatingdata, such as combining multiple instances of sensor detected everysecond for ten minutes into a single instance representing a ten-minutespan), discretization (e.g., converting continuous values to discretevalues, binning, binarization, etc.), encryption, decryption, non-lineartransformations (e.g., mapping data values to a uniform distribution,Gaussian distribution, etc.), and so forth.

The manifests 222 can describe the history of the transformed objects224, such as listing the raw data units 202 that make up the ingestionobjects 212, the transformations performed on the ingestion objects 212,the results and performance of the transformations, and so forth. Themanifests 222 can also include checksums, hashes, or other dataverifying the integrity of the transformed objects 224. In someembodiments, the transformations performed on the ingestion objects 212can be dynamically configured. For example, certain transformations maybe performed or skipped based on the processing and memory resourcesavailable to the AV 102, the AV servicing station 150, and/or the datacenter 160, such as when there may be higher priority processesexecuting concurrently.

At step 508, the AV 102 can offload first copies of the manifests 222 tothe data center 160 at a first time (e.g., in real-time or nearreal-time). By receiving the first copies of manifests 222 in real-timeor near real-time, the AV 102 and/or the data center 160 can immediatelylearn whether the AV 102 is having issues with its data processingpipeline and address the problems if they are significant (e.g., violatean SLA).

At step 510, the AV 102 can receive servicing at the AV servicingstation 150 (e.g., recharge or refuel, maintenance, offload its locallystored data, etc.). The locally stored data can include second copies ofthe manifests 222 and the transformed objects 224. When the AV 102offloads its data at the AV servicing station 150, the servicing stationcan upload the second copies of manifests 222 to the data center 160such that the second copies may arrive while offloading is still inprogress. This can be advantageous if the AV 102 is having data issuesyet remains at the servicing station so that any issues can be directlyaddressed.

At decision block 512, the data center 160 can attempt to reconcilecorresponding pairs of copies of the manifests 222. If the correspondingpairs of manifests 222 match, then the process 500 can proceed todecision block 514 where it can be determined whether offloading of thetransformed objects 224 completed successfully. If so, at step 516, theAV servicing station 150 can notify the AV 102 that it is safe to erasethe manifests 222 and transformed objects 224 that have successfullybeen offloaded, from local storage. A benefit of this approach is thatbecause data integrity has been assured, the AV data management platform170 has the flexibility of when to upload the transformed objects 224.For example, the AV servicing station 150 and/or the data center canschedule uploading of the transformed objects 224 at any time, includingtimes after the AV 102 has left the AV servicing station 150, times whenthere is less network congestion, and/or times when CSP costs areminimal.

If instead the manifests cannot be reconciled, then the process 500 maycontinue to decision block 518 in which it can be determined whether anSLA applies to the current situation. For example, there can be SLAsbased on the types of data corresponding to the transformed objects 224.If the transformed objects 224 correspond to sensors critical for theoperation of the AV, it may be prudent to define an SLA that docks theAV 102 for further diagnosis under these circumstances. As anotherexample, there can be SLAs requiring the transformed objects 224 to beuploaded by a certain time after they have been generated. As yetanother example, there can be SLAs based on the number of offloading oruploading errors related to the AV 102. If there is an applicable SLA,then the process 500 can continue to step 520 in which the AV can bedocked for further diagnosis and process can conclude. If there is noapplicable SLA, then the process 500 can continue to step 522 in whichthe AV data management platform 170 can annotate the error and discardthe transformed object 224 and the process 500 can conclude.

FIG. 6A and FIG. 6B illustrate systems in accordance with variousembodiments. The more appropriate system will be apparent to those ofordinary skill in the art when practicing the various embodiments.Persons of ordinary skill in the art will also readily appreciate thatother systems are possible.

FIG. 6A illustrates an example of a bus computing system 600 wherein thecomponents of the system are in electrical communication with each otherusing a bus 605. The computing system 600 can include a processing unit(CPU or processor) 610 and a system bus 605 that may couple varioussystem components including the system memory 615, such as read onlymemory (ROM) 620 and random access memory (RAM) 625, to the processor610. The computing system 600 can include a cache 612 of high-speedmemory connected directly with, in close proximity to, or integrated aspart of the processor 610. The computing system 600 can copy data fromthe memory 615, ROM 620, RAM 625, and/or storage device 630 to the cache612 for quick access by the processor 610. In this way, the cache 612can provide a performance boost that avoids processor delays whilewaiting for data. These and other modules can control the processor 610to perform various actions. Other system memory 615 may be available foruse as well. The memory 615 can include multiple different types ofmemory with different performance characteristics. The processor 610 caninclude any general purpose processor and a hardware module or softwaremodule, such as module 1 632, module 2 634, and module 3 636 stored inthe storage device 630, configured to control the processor 610 as wellas a special-purpose processor where software instructions areincorporated into the actual processor design. The processor 610 mayessentially be a completely self-contained computing system, containingmultiple cores or processors, a bus, memory controller, cache, etc. Amulti-core processor may be symmetric or asymmetric.

To enable user interaction with the computing system 600, an inputdevice 645 can represent any number of input mechanisms, such as amicrophone for speech, a touch-protected screen for gesture or graphicalinput, keyboard, mouse, motion input, speech and so forth. An outputdevice 635 can also be one or more of a number of output mechanismsknown to those of skill in the art. In some instances, multimodalsystems can enable a user to provide multiple types of input tocommunicate with the computing system 600. The communications interface640 can govern and manage the user input and system output. There may beno restriction on operating on any particular hardware arrangement andtherefore the basic features here may easily be substituted for improvedhardware or firmware arrangements as they are developed.

The storage device 630 can be a non-volatile memory and can be a harddisk or other types of computer readable media which can store data thatare accessible by a computer, such as magnetic cassettes, flash memorycards, solid state memory devices, digital versatile disks, cartridges,random access memory, read only memory, and hybrids thereof.

As discussed above, the storage device 630 can include the softwaremodules 632, 634, 636 for controlling the processor 610. Other hardwareor software modules are contemplated. The storage device 630 can beconnected to the system bus 605. In some embodiments, a hardware modulethat performs a particular function can include a software componentstored in a computer-readable medium in connection with the necessaryhardware components, such as the processor 610, bus 605, output device635, and so forth, to carry out the function.

FIG. 6B illustrates an example architecture for a chipset computingsystem 650 that can be used in accordance with an embodiment. Thecomputing system 650 can include a processor 655, representative of anynumber of physically and/or logically distinct resources capable ofexecuting software, firmware, and hardware configured to performidentified computations. The processor 655 can communicate with achipset 660 that can control input to and output from the processor 655.In this example, the chipset 660 can output information to an outputdevice 665, such as a display, and can read and write information tostorage device 670, which can include magnetic media, solid state media,and other suitable storage media. The chipset 660 can also read datafrom and write data to RAM 675. A bridge 680 for interfacing with avariety of user interface components 685 can be provided for interfacingwith the chipset 660. The user interface components 685 can include akeyboard, a microphone, touch detection and processing circuitry, apointing device, such as a mouse, and so on. Inputs to the computingsystem 650 can come from any of a variety of sources, machine generatedand/or human generated.

The chipset 660 can also interface with one or more communicationinterfaces 690 that can have different physical interfaces. Thecommunication interfaces 690 can include interfaces for wired andwireless Local Area Networks (LANs), for broadband wireless networks, aswell as personal area networks. Some applications of the methods forgenerating, displaying, and using the technology disclosed herein caninclude receiving ordered datasets over the physical interface or begenerated by the machine itself by the processor 655 analyzing datastored in the storage device 670 or the RAM 675. Further, the computingsystem 650 can receive inputs from a user via the user interfacecomponents 685 and execute appropriate functions, such as browsingfunctions by interpreting these inputs using the processor 655.

It will be appreciated that computing systems 600 and 650 can have morethan one processor 610 and 655, respectively, or be part of a group orcluster of computing devices networked together to provide greaterprocessing capability.

For clarity of explanation, in some instances the various embodimentsmay be presented as including individual functional blocks includingfunctional blocks comprising devices, device components, steps orroutines in a method embodied in software, or combinations of hardwareand software.

In some embodiments the computer-readable storage devices, mediums, andmemories can include a cable or wireless signal containing a bit streamand the like. However, when mentioned, non-transitory computer-readablestorage media expressly exclude media such as energy, carrier signals,electromagnetic waves, and signals per se.

Methods according to the above-described examples can be implementedusing computer-executable instructions that are stored or otherwiseavailable from computer readable media. Such instructions can comprise,for example, instructions and data which cause or otherwise configure ageneral purpose computer, special purpose computer, or special purposeprocessing device to perform a certain function or group of functions.Portions of computer resources used can be accessible over a network.The computer executable instructions may be, for example, binaries,intermediate format instructions such as assembly language, firmware, orsource code. Examples of computer-readable media that may be used tostore instructions, information used, and/or information created duringmethods according to described examples include magnetic or opticaldisks, flash memory, USB devices provided with non-volatile memory,networked storage devices, and so on.

Devices implementing methods according to these disclosures can comprisehardware, firmware and/or software, and can take any of a variety ofform factors. Some examples of such form factors include general purposecomputing devices such as servers, rack mount devices, desktopcomputers, laptop computers, and so on, or general purpose mobilecomputing devices, such as tablet computers, smart phones, personaldigital assistants, wearable devices, and so on. Functionality describedherein also can be embodied in peripherals or add-in cards. Suchfunctionality can also be implemented on a circuit board among differentchips or different processes executing in a single device, by way offurther example.

The instructions, media for conveying such instructions, computingresources for executing them, and other structures for supporting suchcomputing resources are means for providing the functions described inthese disclosures.

Although a variety of examples and other information was used to explainaspects within the scope of the appended claims, no limitation of theclaims should be implied based on particular features or arrangements insuch examples, as one of ordinary skill would be able to use theseexamples to derive a wide variety of implementations. Further andalthough some subject matter may have been described in languagespecific to examples of structural features and/or method steps, it isto be understood that the subject matter defined in the appended claimsis not necessarily limited to these described features or acts. Forexample, such functionality can be distributed differently or performedin components other than those identified herein. Rather, the describedfeatures and steps are disclosed as examples of components of systemsand methods within the scope of the appended claims.

The invention claimed is:
 1. A computer-implemented method comprising:generating a plurality of ingestion objects based on data captured byone or more sensors; generating, based on the plurality of ingestionobjects, a plurality of transformed objects and a plurality of manifestseach respectively including a history of each transformed object and adata integrity value representing the transformed object; and offloadingone or more copies of at least one of the plurality of manifests or theplurality of transformed objects to one or more remote computingsystems.
 2. The computer-implemented method of claim 1, furthercomprising: offloading, from an autonomous vehicle (AV) to one or moredata center computing systems, a first copy of a manifest associatedwith at least one new transformed object; and offloading, from the AV toone or more AV servicing station computing systems, a second copy of themanifest and the at least one new transformed object.
 3. Thecomputer-implemented method of claim 2, further comprising: determiningthe first copy and the second copy do not correspond; determining aService Level Agreements (SLA) corresponding to the at least one newtransformed object is violated; and docking the AV at an AV servicingstation for diagnosis based on the SLA.
 4. The computer-implementedmethod of claim 2, further comprising: determining that no SLA isapplicable to the at least one new transformed object; annotating errorinformation corresponding to offloading or uploading the at least onenew transformed object; and discarding the at least one new transformedobject.
 5. The computer-implemented method of claim 2, furthercomprising: determining a period of time between receiving the firstcopy and the second copy violates an SLA; and docking the AV at an AVservicing station for diagnosis based on the SLA.
 6. Thecomputer-implemented method of claim 2, wherein the SLA specifies atleast one of a criticality of the at least one new transformed object ora maximum number of offload or upload errors.
 7. Thecomputer-implemented method of claim 1, wherein offloading the one ormore copies to the one or more remote computing systems comprises:offloading copies of the plurality of manifests from an AV to one ormore data center computing systems.
 8. The computer-implemented methodof claim 1, wherein offloading the one or more copies to the one or moreremote computing systems comprises: offloading copies of the pluralityof manifests and the plurality of transformed objects from an AV to oneor more AV servicing station computing systems.
 9. Thecomputer-implemented method of claim 1, further comprising: offloading,from an AV to one or more data center computing systems, a first copy ofa manifest associated with at least one new transformed object;determining an SLA is violated based on the first copy; and docking theAV at an AV servicing station for diagnosis based on the SLA.
 10. Thecomputer-implemented method of claim 1, further comprising: determining,by one or more AV servicing station computing systems, an integrityvalue for at least one transformed object of the plurality oftransformed objects that has completed offloading from an AV;reconciling the at least one transformed object based on a comparisonbetween the integrity value and a second copy of a manifestcorresponding to the at least one transformed object; and notifying theAV can erase a first copy of a manifest corresponding to the at leastone transformed object and the at least one transformed object from alocal storage of the AV.
 11. A system comprising: one or moreprocessors; and memory including instructions that, when executed by theone or more processors, cause the system to: generate a plurality ofingestion objects based on data captured by one or more sensors;generate, based on the plurality of ingestion objects, a plurality oftransformed objects and a plurality of manifests each respectivelyincluding a history of each transformed object and a data integrityvalue representing the transformed object; and offload one or morecopies of at least one of the plurality of manifests or the plurality oftransformed objects to one or more remote computing systems.
 12. Thesystem of claim 11, wherein the memory includes instructions that, whenexecuted by the one or more processors, cause the system to: offload,from an autonomous vehicle (AV) associated with the system to one ormore data center computing systems, a first copy of a manifestassociated with at least one new transformed object; and offload, fromthe AV to one or more AV servicing station computing systems, a secondcopy of the manifest and the at least one new transformed object. 13.The system of claim 12, wherein the memory includes instructions that,when executed by the one or more processors, cause the system to:determine the first copy and the second copy do not correspond;determine a Service Level Agreements (SLA) corresponding to the at leastone new transformed object is violated; and dock the AV at an AVservicing station for diagnosis based on the SLA.
 14. The system ofclaim 12, wherein the memory includes instructions that, when executedby the one or more processors, cause: determine that no SLA isapplicable to the at least one new transformed object; annotate errorinformation corresponding to offloading or uploading the at least onenew transformed object; and discard the at least one new transformedobject.
 15. The system of claim 12, wherein the memory includesinstructions that, when executed by the one or more processors, cause:determine a period of time between receiving the first copy and thesecond copy violates an SLA; and dock the AV at an AV servicing stationfor diagnosis based on the SLA.
 16. The system of claim 12, wherein theSLA specifies at least one of a criticality of the at least one newtransformed object or a maximum number of offload or upload errors. 17.The system of claim 11, wherein offloading the one or more copies to theone or more remote computing systems comprises: offloading copies of theplurality of manifests from an AV to one or more data center computingsystems.
 18. The system of claim 11, wherein the memory includesinstructions that, when executed by the one or more processors, causethe system to: determine at least one first copy of a manifest of theplurality of manifests and a corresponding second copy of the manifestmatch; and schedule uploading of a transformed object corresponding tothe manifest between one or more AV servicing station computing systemsand one or more data center computing systems at a time after an AV hascompleted offloading the transformed object to the one or more AVservicing station computing systems.
 19. A non-transitorycomputer-readable storage medium including instructions that, whenexecuted by one or more processors of a computing system, cause thecomputing system to: generate a plurality of ingestion objects based ondata captured by one or more sensors; generate, based on the pluralityof ingestion objects, a plurality of transformed objects and a pluralityof manifests each respectively including a history of each transformedobject and a data integrity value representing the transformed object;and offload one or more copies of at least one of the plurality ofmanifests or the plurality of transformed objects to one or more remotecomputing systems.
 20. The non-transitory computer-readable storagemedium of claim 19, wherein first copies of the plurality of manifestsare offloaded over a first communication channel and second copies ofthe plurality of manifests and the plurality of transformed objects areoffloaded over a second communication channel.